LONDON — This weekend’s devastating global cyber-attack offered a sobering lesson in what happens when software vulnerabilities fall into the wrong hands.
An exploit for Microsoft Windows developed by the NSA (National Security Agency), a US spy agency, leaked online earlier this year. It was then used to turbo-charge a piece of ransom-demanding malware (“WannaCry” or “WannaCrypt”), which rampaged around the world on Friday, causing chaos in hospitals, factories, and telecoms firms.
But now it looks like WannaCry wasn’t the first piece of malware in the wild to use the “EternalBlue” exploit.
In a blog post published on Monday, security firm Proofpoint wrote that they have detected “another very large-scale attack” that makes use of the same NSA tech.
It’s a botnet, called “Adylkuzz,” that infects victims’ computers and makes them secretly mine a cryptocurrency called Monero to make money for the attackers — and it seems to have pulled in tens of thousands of dollars.
For context: Cryptocurrencies — the most famous of which is bitcoin — are decentralised digital currencies that operate without any central bank. Typically, new “coins” are created by “mining”: Devoting your computer’s processing power towards the upkeep of the network in return for a reward.
This financial incentive means that some people become professional “miners,” building dedicated rigs with specialised hardware that do nothing but mine cryptocurrencies. It also means that hackers sometimes try to hijack people’s computers to mine cryptocurrencies without them realising — making the attacker a tidy profit at the expense of the victim’s computer’s performance.
That’s what has been happening here, according to Proofpoint. The firm’s researchers wrote that it has been going on since at least May 2, “and possibly as early as April 24,” significantly before the spread of WannaCry.
It has (until now) largely flown under the radar, and the botnet has caused infected computers to run slowly: “Symptoms of this attack include loss of access to shared Windows resources and degradation of PC and server performance. Several large organizations reported network issues this morning that were originally attributed to the WannaCry campaign. However, because of the lack of ransom notices, we now believe that these problems might be associated with Adylkuzz activity.”
Although we don’t know exactly who was infected with Adylkuzz, it seems to have spread pretty widely. “Within 20 minutes of exposing a vulnerable machine to the open web, it was enrolled in an Adylkuzz mining botnet,” Proofpoint wrote.
This suggests that many of the organisations hit with WannaCry — the NHS, Telefónica, and so on — may also have been infected with Adylkuzz beforehand.
According to Proofpoint’s analysis, at least $43,000-worth of Monero has been raised by the as-yet unidentified attackers behind Adylkuzz. (WannaCry, meanwhile, has made more than $66,000, and the figure is still rising.)
The vulnerability that Adylkuzz and WannaCry exploited was patched in March this year — before either began to spread. But because many organisations hadn’t updated their software, they remained vulnerable.
On Monday, Microsoft published a blog post excoriating the NSA for “stockpiling” software exploits, which were subsequently leaked online by the hacking group “ShadowBrokers.” “An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen,” wrote president Brad Smith. “The governments of the world should treat this attack as a wake-up call.”